Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)

Executive Summary

Fortinet has issued an urgent security advisory for a critical, actively exploited zero-day vulnerability in its FortiClient Endpoint Management Server (EMS). The vulnerability, tracked as CVE-2026-35616, has a CVSS score of 9.1 (Critical) and allows an unauthenticated, remote attacker to bypass API authentication and execute arbitrary code. Due to confirmed in-the-wild exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-35616 to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching by federal agencies. All organizations using the affected FortiClient EMS versions are urged to apply the provided hotfixes without delay to prevent system compromise.

Vulnerability Details

• CVE ID: CVE-2026-35616
• CVSS Score: 9.1 (Critical)
• Vulnerability Type: Improper Access Control (CWE-284)
• Description: The vulnerability is a pre-authentication API access bypass. An unauthenticated attacker can send a specially crafted request to the FortiClient EMS server to bypass both authentication and authorization for API endpoints. This allows the attacker to execute unauthorized commands or code on the server with the privileges of the EMS service, leading to a full system compromise.

Affected Systems

The vulnerability impacts the following versions of FortiClient EMS:

• FortiClient EMS version 7.4.5
• FortiClient EMS version 7.4.6

Note: The 7.2 branch of FortiClient EMS is reportedly not affected by this vulnerability.

Exploitation Status

Fortinet has confirmed that it has observed active exploitation of CVE-2026-35616 in the wild. Following this confirmation, CISA added the vulnerability to its KEV catalog on April 6, 2026, with a remediation deadline of April 9, 2026, for Federal Civilian Executive Branch (FCEB) agencies. The Cyber Security Agency of Singapore (CSA) has also issued a corresponding alert, indicating a global threat.

Impact Assessment

A successful exploit of CVE-2026-35616 has severe consequences. The FortiClient EMS is a central management server for an organization's endpoints. Compromising the EMS server could allow an attacker to:

• Gain complete control over the EMS server itself.
• Push malicious updates or configurations to all connected FortiClient endpoints.
• Disable security controls across the entire managed fleet of devices.
• Use the compromised EMS as a pivot point to move laterally within the corporate network.

This represents a catastrophic failure of the endpoint security management infrastructure.

Cyber Observables for Detection

Security teams should hunt for signs of exploitation attempts in their logs:

• Log Source: Web server logs for the FortiClient EMS service (e.g., IIS, Nginx).
• Observable: Monitor for HTTP requests to FortiClient EMS API endpoints that lack proper authentication tokens or originate from untrusted, external IP addresses.
• Observable: Look for anomalous process execution originating from the FortiClient EMS process, such as powershell.exe, cmd.exe, or wscript.exe.
• Observable: Check for newly created files in system directories or unexpected outbound network connections from the EMS server.

Detection Methods

• Vulnerability Scanning: Use vulnerability scanners with updated plugins to identify affected FortiClient EMS versions in your environment.
• Log Analysis: Create SIEM rules to alert on unauthenticated access attempts to sensitive API endpoints on the EMS server. Correlate web server access logs with endpoint process logs to detect post-exploitation activity.

D3FEND Techniques

• Network Traffic Analysis (D3-NTA): Analyze traffic to the EMS server to identify anomalous request patterns or connections from known malicious IPs.
• Process Analysis (D3-PA): Monitor the EMS server for suspicious child processes or command-line executions indicative of post-exploitation activity.

Remediation Steps

Immediate patching is the only effective remediation.

1. Prioritize Patching: Identify all internet-facing FortiClient EMS servers and patch them immediately. These are at the highest risk.
2. Apply Hotfix: Fortinet has released hotfixes for the affected versions. Customers must download and apply these patches as soon as possible.
3. Upgrade: A full fix will be included in FortiClientEMS version 7.4.7. Plan to upgrade to this version once it becomes available.
4. Compensating Controls: If patching is not immediately possible, restrict access to the FortiClient EMS management interface to a limited set of trusted IP addresses. This is a temporary measure and does not replace the need to patch.
5. Hunt for Compromise: After patching, assume compromise and hunt for indicators of malicious activity on the EMS server and connected endpoints.

D3FEND Countermeasures

• Software Update (D3-SU): This is the primary and most critical countermeasure. Applying the security update from Fortinet directly remediates the vulnerability.